PraisonAI Multi-Agent System Sandbox Escape Vulnerability in Code Execution Tool

Vulnerability

A vulnerability exists in the PraisonAI multi-agent system, specifically in the 'execute_code()' function of the 'praisonaiagents.tools.python_tools' module, prior to version 1.5.115. The issue arises because the default sandbox mode runs user code in a subprocess with a restricted 'builtins' dictionary and an AST-based blocklist. However, the blocklist in the subprocess wrapper only includes 11 attribute names, omitting key attributes that could be exploited to escape the sandbox. This allows access to the real Python builtins of the subprocess, from which 'exec' can be retrieved and used to execute arbitrary code, bypassing all remaining security measures.
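Why an attribute blocklist fails open when a name is left off it, shown next to a default-deny check. This is an added example, not PraisonAI's code or its fix; both name lists and the sample input are hypothetical and constructed for illustration.

```python
import ast

# Hypothetical blocklist for illustration; NOT PraisonAI's actual list.
BLOCKED_ATTRS = {"__class__", "__subclasses__", "__globals__"}
# Hypothetical allowlist: the only attribute names sandboxed code may use.
ALLOWED_ATTRS = {"append", "items", "keys", "values", "join", "split", "strip"}


def attribute_names(source: str) -> list[str]:
    """Return every name accessed as `obj.name` anywhere in the source."""
    tree = ast.parse(source)
    return [n.attr for n in ast.walk(tree) if isinstance(n, ast.Attribute)]


def blocklist_violations(source: str) -> list[str]:
    """Deny by enumeration: only names someone remembered to list are caught."""
    return sorted({a for a in attribute_names(source) if a in BLOCKED_ATTRS})


def allowlist_violations(source: str) -> list[str]:
    """Default-deny: reject anything not explicitly permitted, and refuse
    underscore-prefixed names even if one is later added to the allowlist."""
    return sorted({a for a in attribute_names(source)
                   if a.startswith("_") or a not in ALLOWED_ATTRS})


# Constructed sample: benign code touching two attributes the blocklist
# does not mention (one ordinary name, one harmless dunder).
SAMPLE = (
    "parts = 'a,b'.split(',')\n"
    "state = report.internal_state\n"
    "text = report.__doc__\n"
)

if __name__ == "__main__":
    print("blocklist flags:", blocklist_violations(SAMPLE))
    print("allowlist flags:", allowlist_violations(SAMPLE))
```

Either check is only a pre-filter on source text; it does not replace isolating the subprocess itself or applying the fixed release.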

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the host machine, with the executed commands running in the context of the user who initiated the subprocess. This could lead to unauthorized access to files, including sensitive information such as credentials and API keys, as well as environment variables. The vulnerability also allows for network access, enabling outbound connections to attacker-controlled servers, and could facilitate lateral movement within a network.

Reproduction

The vulnerability can be reproduced by setting the 'PRAISONAI_AUTO_APPROVE' environment variable to 'true', which allows for automatic approval of code execution requests. Once this is set, the 'execute_code' function can be called with a payload that exploits the missing attributes in the subprocess blocklist. The payload should be crafted to raise an exception, which can then be used to access the omitted attributes and retrieve the 'exec' function from the builtins. This 'exec' function can then be used to execute arbitrary commands on the host system, such as 'id' to display user information.

Remediation

Users can update to PraisonAI version 1.5.115 or later, where this vulnerability has been fixed.

Added: Apr 8, 2026, 10:02 PM
Updated: Apr 8, 2026, 10:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.0
remediation: 0.0
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.